Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Flag security alerts and pass versions through #144

Merged
merged 11 commits into from
Feb 22, 2022
19 changes: 19 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,17 @@ jobs:
uses: dependabot/fetch-metadata@v1.1.1
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
alert-lookup: true
```

Supported inputs are:

- `github-token` (REQUIRED string)
- The `GITHUB_TOKEN` secret
- `alert-lookup` (boolean)
- If `true`, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs.
- Defaults to `false`

Subsequent actions will have access to the following outputs:

- `steps.dependabot-metadata.outputs.dependency-names`
Expand All @@ -43,6 +52,16 @@ Subsequent actions will have access to the following outputs:
- The `package-ecosystem` configuration that was used by dependabot for this updated Dependency.
- `steps.dependabot-metadata.outputs.target-branch`
- The `target-branch` configuration that was used by dependabot for this updated Dependency.
- `steps.dependabot-metadata.outputs.previous-version`
- The version that this PR updates the dependency from.
- `steps.dependabot-metadata.outputs.new-version`
- The version that this PR updates the dependency to.
- `steps.dependabot-metadata.outputs.alert-state`
- If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).
- `steps.dependabot-metadata.outputs.ghsa-id`
- If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.
- `steps.dependabot-metadata.outputs.cvss`
- If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).

**Note:** These outputs will only be populated if the target Pull Request was opened by Dependabot and contains
**only** Dependabot-created commits.
Expand Down
13 changes: 13 additions & 0 deletions action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,9 @@ branding:
icon: 'search'
color: 'blue'
inputs:
alert-lookup:
type: boolean
description: 'If true, then call populate the `alert-state`, `ghsa-id` and `cvss` outputs'
github-token:
description: 'The GITHUB_TOKEN secret'
required: true
Expand All @@ -22,6 +25,16 @@ outputs:
description: 'The `package-ecosystem` configuration that was used by dependabot for this updated Dependency.'
target-branch:
description: 'The `target-branch` configuration that was used by dependabot for this updated Dependency.'
previous-version:
description: 'The version that this PR updates the dependency from.'
new-version:
description: 'The version that this PR updates the dependency to.'
alert-state:
description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the current state of that alert (OPEN, FIXED or DISMISSED).'
ghsa-id:
description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the GHSA-ID of that alert.'
cvss:
description: 'If this PR is associated with a security alert and `alert-lookup` is `true`, this contains the CVSS value of that alert (otherwise it contains 0).'
runs:
using: 'node12'
main: 'dist/index.js'
113 changes: 90 additions & 23 deletions dist/index.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading